Overview

overview

10

Static

static

3

7a1e33481b...18.exe

windows7-x64

6

7a1e33481b...18.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    7a1e33481b7164e593982cc8bca49b83_JaffaCakes118

  • Size

    120KB

  • Sample

    240527-xac3haeg42

  • MD5

    7a1e33481b7164e593982cc8bca49b83

  • SHA1

    cbeb5da1d01ea56a990943cf27c3698770fe3d84

  • SHA256

    ccff91f0cf57fc3901a024eab0a887f3ce63a3224b326c4cb1f284cc3f126b6d

  • SHA512

    f1b4abfba68c2ee7a956f81065855809839a2c889382e98240f2851893a2daaf8a22305e98ebcd22ded4edd3d9fd60cde5ff3cc1867605313cd49b0b40a69ec9

  • SSDEEP

    1536:uCjGsIaJ4BPgPVLpmPzR5fQp3ER1XYk62HOX5H3GIJbEb1:oszC1k0zvOkrgd2Iqb1

Score
10/10
guloaderdownloaderguloaderpersistence

Malware Config

Extracted

Family

guloader

C2

https://drive.google.com/uc?export=download&id=1BPx9dF6DggO5Qb7FQa0lwTupTGugkBrY

xor.base64

Targets

    • Target

      7a1e33481b7164e593982cc8bca49b83_JaffaCakes118

    • Size

      120KB

    • MD5

      7a1e33481b7164e593982cc8bca49b83

    • SHA1

      cbeb5da1d01ea56a990943cf27c3698770fe3d84

    • SHA256

      ccff91f0cf57fc3901a024eab0a887f3ce63a3224b326c4cb1f284cc3f126b6d

    • SHA512

      f1b4abfba68c2ee7a956f81065855809839a2c889382e98240f2851893a2daaf8a22305e98ebcd22ded4edd3d9fd60cde5ff3cc1867605313cd49b0b40a69ec9

    • SSDEEP

      1536:uCjGsIaJ4BPgPVLpmPzR5fQp3ER1XYk62HOX5H3GIJbEb1:oszC1k0zvOkrgd2Iqb1

    Score
    10/10
    persistenceguloaderdownloaderguloader

    • Guloader,Cloudeye

      A shellcode based downloader first seen in 2020.

      downloaderguloader

    • Guloader payload

      guloader

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Resource Development

Reconnaissance

Tasks